[Rule Tuning] Fixes for Unsupported Fields (#6025)

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/05/01"
 
 [rule]
 author = ["Elastic"]
@@ -108,8 +108,8 @@ sequence by agent.id with maxspan=10s
       file.extension == "jsp" and
       file.path like "*/webapps/*" and
       not file.path like "*/WEB-INF/*" and
-      not file.path like "*/META-INF/*" and
-      not process.parent.name in ("apk", "apt", "apt-get", "dpkg", "yum", "rpm", "dnf", "systemd", "init")]
+      not file.path like "*/META-INF/*"
+  ]
 '''
 
 [[rule.threat]]

rules/linux/persistence_web_server_sus_destination_port.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/03/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/05/01"
 
 [rule]
 author = ["Elastic"]
@@ -101,8 +101,7 @@ network where host.os.type == "linux" and event.type == "start" and event.action
     "php-fcgi", "php-cgi.cagefs", "catalina.sh", "hiawatha", "lswsctrl"
   ) or
   user.name in ("apache", "www-data", "httpd", "nginx", "lighttpd", "tomcat", "tomcat8", "tomcat9") or
-  user.id in ("33", "498", "48") or
-  (process.name == "java" and process.working_directory like "/u0?/*")
+  user.id in ("33", "498", "48")
 ) and
 network.direction == "egress" and destination.ip != null and
 not destination.port in (80, 443, 8080, 8443, 8000, 8888, 3128, 3306, 5432, 8220, 8082) and